
Page 1: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white

NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Shifting from “Incident” to “Continuous” Response

Bill White CISSP, CISA, CRISC

Information Security Architecture

Nov 10, 2017

Page 2

Disclaimer: The opinions and content expressed in this presentation are my own and should not be assumed to be in alignment with those of my employer.

Page 3

Incident Response: An organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Cyber Attack Lifecycle: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Internal Reconnaissance → Privileged Operations → Internal Pivot → Maintain Presence → Mission Objectives

How? Kill the attacker as early as possible in the Cyber Attack Lifecycle.

Page 4


No, Really, How?

• Really! Find them and stop them!
• Take the knowledge you just gained and watch for that to happen again.
• AGGREGATION of intelligence is the key!

Page 5

Cyber Attack Lifecycle: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Internal Reconnaissance → Privileged Operations → Internal Pivot → Maintain Presence → Mission Objectives

Example signals placed along the lifecycle on the slide:

• This IP address has been scanning the perimeter
• A new exploit is identified in the wild
• An email was delivered with a file attachment
• Application error on workstation
• PowerShell execution or new executable
• Anomalous DNS traffic detected
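Pages 3 to 5 say to stop the attacker as early in the lifecycle as possible, then keep what the incident taught and watch for it again. The following is an added example (mine, not from the slides) that aggregates signals of the kinds listed above per asset in lifecycle order, picks the earliest stage at which the chain can be cut, and turns a confirmed incident into a watchlist for later signals; the stage tags, hosts, indicators and thresholds are all constructed assumptions.

```python
"""Added example (not from the slides): aggregate detections per asset along the
Cyber Attack Lifecycle, then reuse what an incident taught as a watchlist.
Signals, hosts, indicators and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Lifecycle stages in the order the slide lists them
LIFECYCLE = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation", "Installation",
    "Command & Control (C2)", "Internal Reconnaissance", "Privileged Operations",
    "Internal Pivot", "Maintain Presence", "Mission Objectives",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(LIFECYCLE)}


@dataclass(frozen=True)
class Signal:
    host: str       # asset the detection concerns
    stage: str      # lifecycle stage the detecting tool tagged it with (assumption)
    source: str     # tool that raised it
    indicator: str  # IP, attachment name, process, DNS pattern... that can be re-watched


# Constructed sample detections shaped like the slide's examples, plus one lone extra
SAMPLE_SIGNALS = [
    Signal("perimeter", "Reconnaissance", "firewall", "203.0.113.7"),
    Signal("wkstn-042", "Delivery", "mail-gateway", "invoice_q3.docm"),
    Signal("wkstn-042", "Exploitation", "endpoint", "crash:winword.exe"),
    Signal("wkstn-042", "Installation", "endpoint", "powershell.exe"),
    Signal("wkstn-042", "Command & Control (C2)", "dns", "dns:long-txt-queries"),
    Signal("wkstn-017", "Installation", "endpoint", "setup_tool.exe"),
]


def aggregate(signals):
    """Group signals by host; return the distinct stages seen, in lifecycle order."""
    stages = defaultdict(set)
    for s in signals:
        if s.stage not in STAGE_INDEX:
            raise ValueError(f"unknown lifecycle stage: {s.stage}")
        stages[s.host].add(s.stage)
    return {h: sorted(st, key=STAGE_INDEX.__getitem__) for h, st in stages.items()}


def triage(signals):
    """Per host: stages seen, the earliest stage (where to cut the chain) and an action.
    Thresholds are constructed: 3+ stages -> contain, 2 -> investigate, 1 -> monitor."""
    out = {}
    for host, stages in aggregate(signals).items():
        if len(stages) >= 3:
            action = "contain"
        elif len(stages) == 2:
            action = "investigate"
        else:
            action = "monitor"
        out[host] = {"stages": stages, "earliest": stages[0], "action": action}
    return out


def watchlist_from_incident(signals, host):
    """Keep what the incident taught: every indicator tied to the confirmed host."""
    return {s.indicator for s in signals if s.host == host}


def rematch(new_signals, watchlist):
    """Flag later signals that reuse an indicator from the watchlist."""
    return [s for s in new_signals if s.indicator in watchlist]
```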

Page 6

The core of the next-generation security protection process will be continuous, pervasive monitoring and visibility that is constantly analyzed for indications of compromise.

“Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” by Neil MacDonald and Peter Firstbrook, 12 February 2014, refreshed 28 January 2016, ID G00259490, https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection

Page 7

Security Monitoring will encompass as many layers of the IT stack as possible, including network activity, endpoints, system interactions, application transactions and user activity. The design and benefit of joining the foundational elements of intelligence, context, and correlation with an adaptive architecture will be explored.

Intelligence Driven Adaptive Security Architecture (diagram)

Core: Continuous Monitoring & Analytics (Continuous Monitoring; Embedded Analytics)

Inputs around the core: Threat Intelligence; Community Intelligence; Vendor Labs; Policy; Vulnerability Scans; Context

Page 8

This presentation will provide security related scenarios where centralized security data analytics and adaptive security architecture are used to respond in a dynamic way to enable this next generation security protection.

Diagram regions and elements: Cyberspace; Enterprise; Access Control; Associate BYOD; Corporate Mobile Endpoint; Firewall; Proxy; Data Protection; Applications; Infrastructure; Externally Supplied Security Intel and Assets.

Policy Engine

· Acts on notification of a Security Event
· Compares the event to Enterprise-defined policies
· Determines if a security event requires further action
· On further action, passes the security event to the Enrichment/Analytic engine as an alert
· Otherwise, it logs the security event

Enrichment and Analytics Engine

· On alert, it performs Enterprise-defined policy based operations (i.e. a particular analytic workflow) to enrich the alert
· It queries internal or external data sources for sightings of similar behavior, file hashes, etc.
· In the case of a malware file, it may send the file to a file detonation service
· It determines whether further action is required
· If further action is required, it passes an action alert to the Decision-Making Engine
· Otherwise, it logs its activities

Decision Making Engine

· On action alert, it determines which Enterprise-defined policy based Courses of Action (COA(s)) are appropriate
· A selected COA might block all traffic from a specific internet address or quarantine a specific host system
· Enterprise policies and processes may require notification and involvement of a human decision maker
· No enterprise COA might exist for a given action alert, in which case it may initiate a manual workflow via CSDC
· On selection, it passes the selected COA(s) to the Response Engine

Response/Action Engine

· The Response Engine translates the COA into a machine translatable execution workflow
· It sends this workflow to the Output Framework
· On receipt of a workflow, the Output Framework translates the workflow into device-specific response actions and sends them to the appropriate enterprise sensors and controls

Data feeding the engines, grouped in the diagram under Threats and Vulnerabilities, Business Value and Context, and Security and Operational:

· Asset Data
· SIEM Alert Data
· Vulnerability Data
· Endpoint and Network Protection
· Data Loss Incidents
· Vendor Threat Intelligence
· Community Intelligence
· Organizational Data
· User Data
· Role and Privilege Data
· HR Data
· Legal and Regulatory Data
· Geolocation Data
· Authentication Data
· Security Data
· Endpoint and Network Data
· Application Log Data
· File and Data Movement Data
· Remote Access Data
· Physical Access Data
· Enterprise Information Security Policy
· Enterprise and Information Security Standards
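The four engines above form a pipeline: Policy Engine, Enrichment and Analytics Engine, Decision Making Engine, Response/Action Engine with its Output Framework. The following is an added example (mine, not the presenter's or any product's code) that runs a security event through that pipeline, including the three branches the slide calls out: log-and-stop, human decision maker required, and no COA so hand off to a manual workflow. The policy, the sightings and detonation data, the COA catalogue, host names, hashes and the command syntax are all constructed stand-ins.

```python
"""Added example (not from the slides): the four-engine pipeline of the Page 8
diagram as code. Policies, data sources, hosts, hashes and command syntax are
all constructed stand-ins."""
from dataclasses import dataclass


@dataclass
class SecurityEvent:
    kind: str            # event type reported by a sensor
    host: str            # enterprise asset involved
    source_ip: str = ""  # remote address, if any
    file_hash: str = ""  # hash of a file, if any

# Enterprise-defined policy (constructed): event kinds that need further action
POLICY_NEEDS_ACTION = {"malware_file", "port_scan", "data_exfil"}
# Stand-ins for internal/external data sources and the file detonation service
KNOWN_BAD_HASHES = {"a" * 64: "Trojan.Constructed"}
DETONATION_RESULTS = {"b" * 64: "malicious", "c" * 64: "benign"}
PRIOR_SCAN_SIGHTINGS = {"203.0.113.7": 12}  # earlier scans seen from this address
# COA catalogue keyed by verdict (constructed); deliberately no COA for data_exfil
COA_CATALOGUE = {"malicious_file": "quarantine_host", "repeat_scanner": "block_address"}
CRITICAL_HOSTS = {"db-prod-01"}  # policy requires a human decision maker here


def policy_engine(event, log):
    """Compare the event to policy; return an alert, or just log the event."""
    if event.kind not in POLICY_NEEDS_ACTION:
        log.append(f"policy: logged {event.kind} on {event.host}, no action")
        return None
    return {"event": event}


def enrichment_engine(alert, log):
    """Query sightings / detonate unknown files; return an action alert, or log."""
    ev, verdict = alert["event"], None
    if ev.kind == "malware_file":
        if ev.file_hash in KNOWN_BAD_HASHES:
            verdict = "malicious_file"
        elif DETONATION_RESULTS.get(ev.file_hash) == "malicious":  # unknown hash
            verdict = "malicious_file"
    elif ev.kind == "port_scan" and PRIOR_SCAN_SIGHTINGS.get(ev.source_ip, 0) >= 3:
        verdict = "repeat_scanner"
    elif ev.kind == "data_exfil":
        verdict = "data_exfil"
    if verdict is None:
        log.append(f"enrichment: {ev.kind} on {ev.host} needs no further action")
        return None
    return {"event": ev, "verdict": verdict}


def decision_engine(action_alert, log):
    """Pick a policy-defined COA, or hand off to a human / manual workflow."""
    ev, verdict = action_alert["event"], action_alert["verdict"]
    coa = COA_CATALOGUE.get(verdict)
    if coa is None:
        log.append(f"decision: no COA for {verdict}, manual workflow via CSDC")
        return {"coa": None, "event": ev, "manual_workflow": "CSDC"}
    needs_human = ev.host in CRITICAL_HOSTS
    if needs_human:
        log.append(f"decision: {coa} on {ev.host} awaits human approval")
    return {"coa": coa, "event": ev, "requires_human": needs_human}


def response_engine(decision):
    """Translate the COA into a machine-executable workflow (generic steps)."""
    ev = decision["event"]
    if decision["coa"] == "quarantine_host":
        return [("endpoint", "isolate", ev.host), ("ticket", "open", ev.host)]
    if decision["coa"] == "block_address":
        return [("firewall", "deny", ev.source_ip), ("proxy", "deny", ev.source_ip)]
    return []


def output_framework(workflow):
    """Turn generic steps into device-specific commands (constructed syntax)."""
    templates = {
        ("endpoint", "isolate"): "edr isolate --host {0}",
        ("ticket", "open"): "ticket create 'contain {0}'",
        ("firewall", "deny"): "fw rule add deny src {0}",
        ("proxy", "deny"): "proxy blocklist add {0}",
    }
    return [templates[(dev, op)].format(arg) for dev, op, arg in workflow]


def run_pipeline(event):
    """Run one event through all four engines; returns actions plus the log."""
    log = []
    result = {"actions": [], "pending_human": False, "manual_workflow": None, "log": log}
    alert = policy_engine(event, log)
    action_alert = enrichment_engine(alert, log) if alert else None
    if action_alert is None:
        return result
    decision = decision_engine(action_alert, log)
    if decision.get("manual_workflow"):
        result["manual_workflow"] = decision["manual_workflow"]
    elif decision["requires_human"]:
        result["pending_human"] = True
    else:
        result["actions"] = output_framework(response_engine(decision))
    return result
```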


Enrichment and Analytics Engine

Decision Making Engine

Response/Action Engine

· Acts on notification of a Security Event. · Compares event to Enterprise-defined

policies· Determines if a security event requires

further action· On further action, passes the security

event to the Enrichment/Analytic engine as an alert

· Otherwise, it logs the security event

· On action alert, it determines which Enterprise-defined policy based Course of Actions (COA(s)) are appropriate

· A selected COA might block all traffic from a specific internet address or quarantine a specific host system

· Enterprise policies and processes may require notification and involvement of a human decision maker

· No enterprise COA might exist for a given action alert and it may initiate a manual workflow via CSDC

· On selection, it passes the selected COA(s) to the Response Engine

· The Response Engine translates the COA into a machine translatable execution workflow

· It sends this workflow to the Output Framework

· On receipt of a workflow, the Output Framework translates the workflow into device-specific response actions and sends to the appropriate enterprise sensors and controls

· Asset Data· Asset Data

Threats andVulnerabilities

Business Value and Context

Security and Operational

· SIEM Alert Data· SIEM Alert Data

· Vulnerability Data· Vulnerability Data

· Endpoint and Network Protection· Endpoint and Network Protection

· Data Loss Incidents· Data Loss Incidents

· Vendor Threat Intelligence· Vendor Threat Intelligence

· Community Intelligence· Community Intelligence

· Organizational Data· Organizational Data

· User Data· User Data

· Role and Privilege Data· Role and Privilege Data

· HR Data· HR Data

· Legal and Regulatory Data· Legal and Regulatory Data

· Geolocation Data· Geolocation Data

· Authentication Data· Authentication Data

· Security Data· Security Data

· Endpoint and Network Data· Endpoint and Network Data

· Application Log Data· Application Log Data

· File and Data Movement Data· File and Data Movement Data

· Remote Access Data· Remote Access Data

· Physical Access Data· Physical Access Data

· Enterprise Information Security Policy· Enterprise Information Security Policy

· Enterprise and Information Security Standards· Enterprise and Information Security Standards

Advanced Detective Controls

Advanced Detective Controls

· On alert, it performs Enterprise-defined policy based operations (i.e. a particular analytic workflow) to enrich the alert

· It queries internal or external data sources for sightings of similar behavior, file hashes, etc

· In the case of a malware file, it may send the file to a file detonation service

· It determines whether further action is required

· If further action is required, it passes an action alert to the Decision-Making Engine

· Otherwise, it logs its activities

Policy Engine

Enrichment and Analytics Engine

Decision Making Engine

Response/Action Engine

· Acts on notification of a Security Event. · Compares event to Enterprise-defined

policies· Determines if a security event requires

further action· On further action, passes the security

event to the Enrichment/Analytic engine as an alert

· Otherwise, it logs the security event

· On action alert, it determines which Enterprise-defined policy based Course of Actions (COA(s)) are appropriate

· A selected COA might block all traffic from a specific internet address or quarantine a specific host system

· Enterprise policies and processes may require notification and involvement of a human decision maker

· No enterprise COA might exist for a given action alert and it may initiate a manual workflow via CSDC

· On selection, it passes the selected COA(s) to the Response Engine

· The Response Engine translates the COA into a machine translatable execution workflow

· It sends this workflow to the Output Framework

· On receipt of a workflow, the Output Framework translates the workflow into device-specific response actions and sends to the appropriate enterprise sensors and controls

· Asset Data· Asset Data

Threats andVulnerabilities

Business Value and Context

Security and Operational

· SIEM Alert Data· SIEM Alert Data

· Vulnerability Data· Vulnerability Data

· Endpoint and Network Protection· Endpoint and Network Protection

· Data Loss Incidents· Data Loss Incidents

· Vendor Threat Intelligence· Vendor Threat Intelligence

· Community Intelligence· Community Intelligence

· Organizational Data· Organizational Data

· User Data· User Data

· Role and Privilege Data· Role and Privilege Data

· HR Data· HR Data

· Legal and Regulatory Data· Legal and Regulatory Data

· Geolocation Data· Geolocation Data

· Authentication Data· Authentication Data

· Security Data· Security Data

· Endpoint and Network Data· Endpoint and Network Data

· Application Log Data· Application Log Data

· File and Data Movement Data· File and Data Movement Data

· Remote Access Data· Remote Access Data

· Physical Access Data· Physical Access Data

· Enterprise Information Security Policy· Enterprise Information Security Policy

· Enterprise and Information Security Standards· Enterprise and Information Security Standards

VPN

ThreatsThreats CustomersCustomers

VendorsVendors

AssociatesAssociates

· On alert, it performs Enterprise-defined policy based operations (i.e. a particular analytic workflow) to enrich the alert

· It queries internal or external data sources for sightings of similar behavior, file hashes, etc

· In the case of a malware file, it may send the file to a file detonation service

· It determines whether further action is required

· If further action is required, it passes an action alert to the Decision-Making Engine

· Otherwise, it logs its activities

Policy Engine

Enrichment and Analytics Engine

Decision Making Engine

Response/Action Engine

· Acts on notification of a Security Event. · Compares event to Enterprise-defined

policies· Determines if a security event requires

further action· On further action, passes the security

event to the Enrichment/Analytic engine as an alert

· Otherwise, it logs the security event

· On action alert, it determines which Enterprise-defined policy based Course of Actions (COA(s)) are appropriate

· A selected COA might block all traffic from a specific internet address or quarantine a specific host system

· Enterprise policies and processes may require notification and involvement of a human decision maker

· No enterprise COA might exist for a given action alert and it may initiate a manual workflow via CSDC

· On selection, it passes the selected COA(s) to the Response Engine

· The Response Engine translates the COA into a machine translatable execution workflow

· It sends this workflow to the Output Framework

· On receipt of a workflow, the Output Framework translates the workflow into device-specific response actions and sends to the appropriate enterprise sensors and controls

· Asset Data· Asset Data

Threats andVulnerabilities

Business Value and Context

Security and Operational

· SIEM Alert Data· SIEM Alert Data

· Vulnerability Data· Vulnerability Data

· Endpoint and Network Protection· Endpoint and Network Protection

· Data Loss Incidents· Data Loss Incidents

· Vendor Threat Intelligence· Vendor Threat Intelligence

· Community Intelligence· Community Intelligence

· Organizational Data· Organizational Data

· User Data· User Data

· Role and Privilege Data· Role and Privilege Data

· HR Data· HR Data

· Legal and Regulatory Data· Legal and Regulatory Data

· Geolocation Data· Geolocation Data

· Authentication Data· Authentication Data

· Security Data· Security Data

· Endpoint and Network Data· Endpoint and Network Data

· Application Log Data· Application Log Data

· File and Data Movement Data· File and Data Movement Data

· Remote Access Data· Remote Access Data

· Physical Access Data· Physical Access Data

· Enterprise Information Security Policy· Enterprise Information Security Policy

· Enterprise and Information Security Standards· Enterprise and Information Security Standards

SIEMSIEM

Page 9: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


We will look behind the curtain of "marketecture" to the real and aspirational solutions for a SOC that will likely materialize as vendor products mature over the next few years.

Page 10: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


What makes up the next generation of security protection?

“Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture”, Johns Hopkins Applied Physics Laboratory https://secwww.jhuapl.edu/IACD/Resources/Architecture/IACD%20Baseline%20Reference%20Architecture%20-%20Final%20PR.pdf

Page 11: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


The first step occurs when the Sensor/Control Interface receives notification of a Security Event from enterprise sensors.

Based on enterprise-defined policies and processes, the Policy Engine determines whether the security event requires further action.

If further action is required, it passes the security event information to the Enrichment/Analytic Framework as an alert. Otherwise, it simply logs the security event.

[Diagram: Sensor (source) ×5 → Sensor / Control Interface → Security Event → Policy Engine (Aggregation, Analytics) → ALERT]

Page 12: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


When the Enrichment and Analytic Framework receives an alert, it performs any number of operations (i.e. a particular analytic workflow) to enrich the alert information.

Based on the enriched information and enterprise policies and processes, the Analytic Framework determines whether further action is required.

If further action is required, it passes the enriched information as an action alert to the Decision-Making Engine. If no further action is required, it simply logs its activities.

[Diagram: Policy Engine → ALERT → Enrichment and Analytics Engine (Sandbox Analytics, Full Packet Capture, 3rd Party Analytics, Asset/Information Query, Vulnerability Query, Aggregation) → Decision]

Page 13: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


The Decision-Making Engine determines what Course of Action (COA) is appropriate. For example, a selected COA might block all traffic from a specific internet address or quarantine a specific host system. It is possible that enterprise policies and processes require the notification and involvement of a human decision maker. It is also possible that no enterprise COA exists for a given action alert, in which case the Decision-Making Engine may simply initiate a manual workflow via the SOC. Once a COA is selected, the Decision-Making Engine passes the selected COA(s) to the Response Engine.

[Diagram: Enrichment and Analytics Engine → Action Alert → Decision-Making Engine → Courses of Action → Response / Action Engine]

Page 14: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


The Response/Action Engine translates the COA into a machine-translatable execution workflow, which it sends to the Sensor/Control Interface. Upon receipt of an execution workflow, the Sensor/Control Interface translates the workflow into device-specific response actions that it sends to the appropriate enterprise sensors and controls.

[Diagram: Decision-Making Engine → Courses of Action → Response / Action Engine → Response Action Work Flow → Sensor / Control Interface → Control (Action Point); Policy Engine]

Page 15: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


A Basic Example

Policy:
• Is the laptop in the authorized asset inventory?
• Is the laptop configured and patched to standards?

Analytics:
• Retrieve asset history from CMDB or ARM
• Retrieve vulnerability information on this asset from VM

Decision:
• Allow DHCP to complete
• Move the asset to the remediation network for mitigation

Action:
• Do or do not. There is no try.

[Flow diagram, IDASA Framework: Laptop Connects to the network → DHCP → "Is this asset in inventory?" (CMDB, EWR, Domain; YES/NO) → "Does it meet baseline config?" (YES/NO) → Remediation Network, Patch Management, Service Ticket; CSDC]
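The engine hand-offs described on pages 11 through 14, driven by the laptop-onboarding scenario on page 15, as an added Python example; this is not code from the presentation or from the IACD reference architecture. The CMDB, vulnerability-manager and ticket-queue contents are constructed in-memory stand-ins, and the event types, field names and COA names are this example's own assumptions. The third event shows the fail-closed path the deck insists on: an alert type with no enterprise COA is handed to a human rather than silently dropped.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the page-15 data sources (CMDB / VM) and for the
# SOC's manual ticket queue. Asset IDs, field names and COA names are this
# example's assumptions, not the presentation's.
CMDB = {"LT-1001": {"owner": "alice", "baseline": "win10-2017q3"}}
VULN_MGR = {"LT-1001": {"critical_unpatched": 0}, "LT-2002": {"critical_unpatched": 3}}
STANDARD_BASELINE = "win10-2017q3"
EVENT_LOG = []   # events the Policy Engine decided not to act on
TICKETS = []     # manual workflow queue: alerts with no enterprise COA land here


@dataclass
class Event:
    kind: str                 # sensor event type, e.g. "dhcp_request"
    data: dict                # raw fields from the sensor
    alert: bool = False       # set by the Policy Engine
    enrichment: dict = field(default_factory=dict)
    coa: list = field(default_factory=list)   # selected Course(s) of Action


def policy_engine(ev):
    """Compare the event to enterprise policy: only in-scope types become alerts."""
    ev.alert = ev.kind in ("dhcp_request", "file_hash_sighting")
    if not ev.alert:
        EVENT_LOG.append(ev.kind)
    return ev


def enrichment_engine(ev):
    """Enrich the alert with asset-inventory and vulnerability context."""
    if ev.alert:
        asset = ev.data.get("asset_id")
        record = CMDB.get(asset)
        ev.enrichment = {
            "in_inventory": record is not None,
            "meets_baseline": record is not None and record["baseline"] == STANDARD_BASELINE,
            "critical_unpatched": VULN_MGR.get(asset, {}).get("critical_unpatched"),
        }
    return ev


def decision_engine(ev):
    """Select COA(s); an alert type with no defined COA fails closed to a human."""
    if not ev.alert:
        return ev
    e = ev.enrichment
    if ev.kind == "dhcp_request":
        compliant = e["in_inventory"] and e["meets_baseline"] and e["critical_unpatched"] == 0
        ev.coa = ["allow_dhcp"] if compliant else ["move_to_remediation", "open_service_ticket"]
    else:
        ev.coa = ["manual_workflow"]
    return ev


def response_engine(ev):
    """Translate each COA into a device-specific action (the output-framework step)."""
    actions = []
    for coa in ev.coa:
        if coa == "allow_dhcp":
            actions.append(("dhcp", "offer", ev.data["mac"]))
        elif coa == "move_to_remediation":
            actions.append(("switch", "set_vlan", ev.data["port"], "remediation"))
        elif coa == "open_service_ticket":
            actions.append(("itsm", "create", ev.data["asset_id"]))
        elif coa == "manual_workflow":
            TICKETS.append(ev.kind)
            actions.append(("soc", "manual_review", ev.kind))
    return actions


def run_pipeline(ev):
    """Sensor interface -> Policy -> Enrichment -> Decision -> Response."""
    return response_engine(decision_engine(enrichment_engine(policy_engine(ev))))


if __name__ == "__main__":
    known = Event("dhcp_request", {"asset_id": "LT-1001", "mac": "00:11:22:33:44:55", "port": "Gi1/0/1"})
    unknown = Event("dhcp_request", {"asset_id": "LT-2002", "mac": "00:11:22:33:44:66", "port": "Gi1/0/2"})
    for ev in (known, unknown, Event("file_hash_sighting", {"sha256": "deadbeef"}), Event("heartbeat", {})):
        print(ev.kind, "->", run_pipeline(ev))
```

Each engine only reads what the previous one produced, so a new sensor type is onboarded by adding a policy rule and a COA, not by touching the response code; an alert the decision engine cannot map still produces an action (a ticket), which is the "fail CLOSED" behaviour page 18 asks for.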

Page 16: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


Another Basic Example

Policy:
• High Risk User?
• High Risk Geo?
• Prior Authentication Risk?
• New Asset?

Analytics:
• Retrieve credential memberships
• Retrieve IP history
• Retrieve authentication history
• Retrieve asset information

Decision: Allow, Step Up Authentication, Send to remediation network

[Flow diagram, IDASA Framework: Authentication → "Is this a high-risk user?" (Domain, High Risk Users; YES/NO) → "Fail Geo Testing?" (Security Analytics; YES/NO) → "High Prior Failed Attempts?" (YES/NO) → "Different Device?" (YES/NO) → Authorization; Authentication Remediation Steps: Challenge/response, MFA]
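The four policy questions on this slide turned into a decision function, as an added Python example (not the presenter's code). Group membership, the IP-to-country table and the per-user authentication history are constructed inline; the failure threshold, the group names and the precedence between outcomes are this example's assumptions. A user with no history at all fails the geo and device checks, so an attacker trying a never-seen account lands on the remediation network rather than being allowed through.

```python
# Constructed stand-ins for the page-16 analytics sources: credential
# memberships, IP/geo history, authentication history and device inventory.
# Thresholds, group names and outcome precedence are this example's assumptions.
HIGH_RISK_GROUPS = {"Domain Admins", "Wire Transfer Approvers"}
GROUP_MEMBERSHIP = {"alice": {"Domain Admins", "Staff"}, "bob": {"Staff"}, "carol": {"Staff"}}
GEO = {"10.0.0.5": "US", "10.0.0.7": "US", "198.51.100.4": "BR"}   # source IP -> country
FAILED_ATTEMPT_THRESHOLD = 3   # failures in the recent window that count as "high"

# Per-user authentication history, oldest first: (source IP, succeeded?, device ID)
AUTH_HISTORY = {
    "alice": [("10.0.0.5", True, "LT-1001")] * 5,
    "bob": [("10.0.0.7", True, "LT-3003")] * 4,
    "carol": [("10.0.0.7", True, "LT-4004")] * 2 + [("198.51.100.4", False, "LT-4004")] * 3,
}


def risk_signals(user, ip, device, window=10):
    """Answer the four policy questions for one login attempt."""
    history = AUTH_HISTORY.get(user, [])
    recent = history[-window:]
    # Only successful logins define what "known" looks like; failures from an
    # attacker must not teach the baseline.
    known_countries = {GEO.get(h_ip) for h_ip, ok, _dev in history if ok}
    known_devices = {dev for _ip, ok, dev in history if ok}
    return {
        "high_risk_user": bool(GROUP_MEMBERSHIP.get(user, set()) & HIGH_RISK_GROUPS),
        "fail_geo": GEO.get(ip, "unknown") not in known_countries,
        "high_failures": sum(1 for _ip, ok, _dev in recent if not ok) >= FAILED_ATTEMPT_THRESHOLD,
        "new_device": device not in known_devices,
    }


def auth_decision(user, ip, device):
    """Return 'allow', 'step_up_authentication' or 'remediation_network'."""
    s = risk_signals(user, ip, device)
    # Assumed precedence: a failed geo test combined with any other signal is
    # treated as likely credential misuse; any single signal earns a step-up.
    if s["fail_geo"] and (s["high_risk_user"] or s["high_failures"] or s["new_device"]):
        return "remediation_network"
    if any(s.values()):
        return "step_up_authentication"
    return "allow"


if __name__ == "__main__":
    for attempt in (("alice", "10.0.0.5", "LT-1001"), ("bob", "10.0.0.7", "LT-3003"),
                    ("bob", "10.0.0.7", "LT-9999"), ("carol", "198.51.100.4", "LT-4004"),
                    ("mallory", "10.0.0.5", "LT-1001")):
        print(attempt, "->", auth_decision(*attempt), risk_signals(*attempt))
```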

Page 17: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


A Mature Example

Policy:
• Approved executable?
• Normal?
• Privileged?

Analytics:
• Retrieve asset inventory
• Retrieve executable history
• Retrieve user/action history

Decision:
• Run the executable in sandbox
• Send executable to malware analytics
• Enable full packet capture
• Step up authentication

[Flow diagram: Executable → "Is this an approved application?" (Applications, CMDB; YES/NO) → "Is this normal usage?" (User Behavior Analytics, Security Analytics; YES/NO) → "Priv Operation?" (YES/NO); outcomes: Sandbox Application, Malware Analysis, Open Service Ticket, Full Packet Capture, Elevated HIDS, Auth Remediation, Updated/Additional Intel]
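The three policy questions on this slide as an added Python example (not the presenter's code). Unlike the authentication example, where one outcome wins, each question here can add its own courses of action, so a single launch can fan out into sandboxing, packet capture and a step-up challenge at once. The approved-application list, the per-user execution history standing in for User Behavior Analytics, and the privileged-operation catalogue are constructed; the threshold and all names are this example's assumptions. "Approved" is checked on the file hash, not just the file name, so a trojanized copy of a whitelisted binary is still sent to analysis.

```python
# Constructed stand-ins for the page-17 analytics sources: approved application
# list (name -> expected hash), per-user executable history (User Behavior
# Analytics) and the privileged-operation catalogue. Names and the threshold
# are this example's assumptions, not the presentation's.
APPROVED_APPS = {"notepad.exe": "sha256:1111", "powershell.exe": "sha256:2222"}
EXEC_HISTORY = {"alice": {"notepad.exe": 120, "powershell.exe": 45}, "bob": {"notepad.exe": 60}}
NORMAL_RUN_THRESHOLD = 5   # fewer prior runs than this is "not normal" for that user
PRIVILEGED_OPS = {"create_service", "add_local_admin", "modify_lsa", "raw_disk_write"}


def exec_decision(user, exe_name, exe_hash, operation=None):
    """Accumulate COAs for one executable launch; each policy question may add actions."""
    actions = []
    # Approved executable? The name must be listed AND the hash must match it,
    # otherwise a renamed or patched binary would pass on its file name alone.
    if APPROVED_APPS.get(exe_name) != exe_hash:
        actions += ["sandbox_application", "malware_analysis", "open_service_ticket"]
    # Normal? Judge against this user's own history, not a global whitelist.
    if EXEC_HISTORY.get(user, {}).get(exe_name, 0) < NORMAL_RUN_THRESHOLD:
        actions += ["full_packet_capture", "elevated_hids"]
    # Privileged operation? Make the user re-prove identity before it proceeds.
    if operation in PRIVILEGED_OPS:
        actions.append("step_up_authentication")
    return actions or ["allow"]


if __name__ == "__main__":
    for launch in (("alice", "notepad.exe", "sha256:1111"),
                   ("alice", "powershell.exe", "sha256:2222", "create_service"),
                   ("bob", "powershell.exe", "sha256:2222"),
                   ("alice", "notepad.exe", "sha256:9999"),
                   ("bob", "mimikatz.exe", "sha256:abcd", "modify_lsa")):
        print(launch, "->", exec_decision(*launch))
```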

Page 18: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


Intelligence Driven Adaptive Security Architecture

Time to mature
• Focus on addressing specific use cases while building the engines
• Leverage automation and orchestration
• Fail CLOSED! (throw unknowns back to humans for analysis and decision)

Advantages
• Detect, Respond, Recover at machine speed
• Free up analysts to address complex incidents
• Focus on gathering intelligence to feed analytics

Stop being reactive!

Change from “Incident Response” to “Continuous Response”

Page 19: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


Shifting from “Incident” to “Continuous” Response

QUESTIONS? By: Bill White CISSP, CISA, CRISC

@riskofinfosec

Page 20: Ntxissacsc5 blue 3-shifting from  incident to continuous response bill white


Thank you